Abstract. We propose a pseudo-primality test using cyclic extensions of $\mathbb{Z}/n\mathbb{Z}$. For every positive integer $k \le \log n$, this test achieves the security of $k$ Miller-Rabin tests at the cost of $k^{1/2+o(1)}$ Miller-Rabin tests.



1. Introduction 

Pseudo-primality tests. The most commonly used algorithm for prime detection is the so called Miller-Rabin test. It is a Monte Carlo probabilistic test of compositeness, also called a pseudo-primality test (see Papadimitriou's book [14, page 254] for the definition of a Monte Carlo algorithm). A pseudo-primality test is a process based on a mathematical statement, the compositeness criterion, which gives a forecast (prime or composite) about a given integer $n$. From the compositeness criterion, one constructs for every odd integer $n$ a finite set $W_n$ of witnesses, and a map

$$P_n : W_n \to \{\text{composite}, \text{prime}\}$$

which provides information about the compositeness of $n$ from witnesses $x$ in $W_n$. When $n$ is prime, $P_n(x) = \text{prime}$ for every witness $x$ in $W_n$. So there are only good witnesses in that case. If $n$ is composite, $x$ is a witness in $W_n$, and $P_n(x) = \text{prime}$, we say that $x$ is a bad witness. The test picks a random witness $x$ in $W_n$ and evaluates $P_n(x)$. Two important characteristics of a pseudo-primality test are the run-time complexity $n \mapsto T(n)$ of the algorithm evaluating $P_n$, and the density $n \mapsto \mu(n)$ of bad witnesses.

To be quite rigorous, we do not need to be able to evaluate $P_n$ in deterministic time $T(n)$. We are content with a Las Vegas probabilistic algorithm that on input $n$, runs in time $T(n)$, and returns with probability $\ge 1/2$ at least one of the following two things

• a proof that $n$ is composite,

• the value of $P_n$ at a random (with uniform probability) element in $W_n$.

If this is the case, we say that the test $P$ has complexity $n \mapsto T(n)$ and density $n \mapsto \mu(n)$. See [14, page 256] for the definition of a Las Vegas algorithm.

The Miller-Rabin test. We assume $n$ is odd. The set $W_n$ of witnesses for the Miller-Rabin test is $(\mathbb{Z}/n\mathbb{Z})^*$. The associated map

$$\mathrm{MR}_n : (\mathbb{Z}/n\mathbb{Z})^* \to \{\text{composite}, \text{prime}\}$$

is defined by $\mathrm{MR}_n(x) = \text{prime}$ if and only if $x^m = 1$ or $x^{m2^i} = -1$ for some $0 \le i < k$. Here $m$ is the largest odd divisor of $n - 1$ and $n - 1 = m2^k$. We call $\mathrm{MR}_n$ a Miller-Rabin map. It is clear that if $n$ is prime then $\mathrm{MR}_n(x) = \text{prime}$ for every $x$ in $W_n$. In case $n$ is composite, the density $\mu_{\mathrm{MR}}(n)$ of bad witnesses is bounded from above by $1/4$ (see [15, Theorem 2.1]). It will be important for us that this density is actually bounded from above by $2^{1-t}$ (see [15, proof of Theorem 2.1]) where $t$ is the number of prime divisors of $n$. The complexity $T_{\mathrm{MR}}(n)$ is bounded from above by $(\log n)^{2+o(1)}$ using fast exponentiation and fast arithmetic. If we run $k$ independent Miller-Rabin tests, the probability of missing a composite number is $\le 4^{-k}$ and the complexity is $k(\log n)^{2+o(1)}$.

A faster pseudo-primality test. In this article we prove the following theorem.

Theorem 1 (A faster test). There exist a function $\varepsilon : \mathbb{R} \to \mathbb{R}$ in the class $o(1)$ and a probabilistic algorithm (described in Section 5.1) that takes as input an odd integer $n$ and an integer $\lambda$ such that $1 \le \lambda \le \log n$, runs in time

$$T = (\log n)^{2+\varepsilon(n)}\lambda^{1/2+\varepsilon(\lambda)},$$

and returns prime always if $n$ is prime, and with probability

$$\le 2^{-\lambda}$$

if $n$ is composite.

This algorithm achieves the security of $\lambda/2$ Miller-Rabin tests at the cost of $\lambda^{1/2+o(1)}$ such tests. The two main ingredients of our test are the product of pseudo-primality tests and a primality criterion involving an extension of the ring $\mathbb{Z}/n\mathbb{Z}$.

Products. We introduce the associative composition law

$$\vee : \{\text{composite}, \text{prime}\} \times \{\text{composite}, \text{prime}\} \to \{\text{composite}, \text{prime}\}$$

with table

    ∨         | composite | prime
    ----------+-----------+----------
    composite | composite | composite
    prime     | composite | prime

Let $r \ge 2$ be an integer and let $P_n^i : W_n^i \to \{\text{composite}, \text{prime}\}$ be $r$ pseudo-primality tests. One defines the product test

$$P_n = \vee_{1 \le i \le r} P_n^i$$

as

$$P_n : W_n = W_n^1 \times W_n^2 \times \cdots \times W_n^r \to \{\text{composite}, \text{prime}\}$$

$$(x_1, \ldots, x_r) \mapsto \vee_{1 \le i \le r} P_n^i(x_i).$$

A witness for $P$ is an $r$-tuple of witnesses, one for each of the $r$ tests $P_n^1, \ldots, P_n^r$. For $n$ composite, a witness is bad if and only if all its $r$ coordinates are bad witnesses. So the density of bad witnesses is the product of the densities of all the tests. And the complexity is bounded by the sum of all $r$ complexities, times $[\log_2 r] + 1$. This last factor is natural when chaining Las Vegas algorithms. In order to make sure that the resulting algorithm still succeeds with probability $\ge 1/2$ we must repeat every step a little. As a special case, we consider the $r$-th power $\vee^r P$ of a single test $P$ with complexity $T$ and density $\mu$. The density of bad witnesses for $\vee^r P$ is equal to $\mu^r$, and its complexity is $r \times T \times ([\log_2 r] + 1)$.
A compositeness criterion. The test in Theorem 1 is based on the following compositeness criterion.

Theorem 2 (Compositeness criterion). Let $n \ge 2$ be an integer. Let $S \supset \mathbb{Z}/n\mathbb{Z}$ be a faithful, finite, associative, commutative $\mathbb{Z}/n\mathbb{Z}$-algebra with unit. Let $\sigma$ be a $\mathbb{Z}/n\mathbb{Z}$-endomorphism of $S$. Let $\Omega \subset S$ be a subset of $S$ such that the smallest $\mathbb{Z}/n\mathbb{Z}$-subalgebra of $S$ containing $\Omega$ and stable under the action of $\sigma$ is $S$ itself. Assume $\omega^n = \sigma(\omega)$ for every $\omega$ in $\Omega$. If $n$ is prime, then for every $x$ in $S$ we have $x^n = \sigma(x)$.

Proof. Let $T$ be the subset of $S$ consisting of all $x$ such that $x^n = \sigma(x)$. Clearly $T$ contains $\Omega$. If $n$ is prime, then $T$ contains $\mathbb{Z}/n\mathbb{Z}$ and is stable under addition, multiplication, and the action of $\sigma$. So $T = S$ and we have $x^n = \sigma(x)$ for every $x$ in $S$. □

Theorem 2 provides a compositeness criterion since the existence of an $x$ in $S$ such that $x^n \ne \sigma(x)$ implies that $n$ is not a prime. We call the associated pseudo-primality test a Galois test. The set $W_n$ of witnesses is the group $S^*$ of units in $S$. The map $P_n$ is defined by $P_n(x) = \text{prime}$ if $\sigma(x) = x^n$ and $P_n(x) = \text{composite}$ otherwise. In that situation, we call $P_n$ a Galois map. In case $n$ is composite, those $x$ in $S$ for which

$$x^n = \sigma(x) \qquad (1)$$

are the bad witnesses.

Plan. We will show in Section 2 that one can bound from above the density of bad witnesses among the units of the algebra $S$ in Theorem 2, at least when $S$ is a cyclic extension of $\mathbb{Z}/n\mathbb{Z}$. We will use the Galois module structure of the unit group of such an extension. The resulting pseudo-primality test is presented and analyzed in Section 3. Section 4 explains how to efficiently construct the cyclic $\mathbb{Z}/n\mathbb{Z}$-algebras required by our test. Theorem 1 is proven in Section 5.1. Implementation details are given in Section 5.2. We present the results of our experiments in Section 6.

Context. There exist many (families of) algorithms for prime detection. A recent survey can be found in Schoof's article [15]. The first polynomial time deterministic algorithm for distinguishing prime numbers from composite numbers is due to Agrawal, Kayal and Saxena [2]. An improvement of this algorithm, due to Lenstra and Pomerance [12], has deterministic complexity $(\log n)^{6+o(1)}$. This is the best known unconditional result for deterministic algorithms. There exists a deterministic algorithm with complexity $(\log n)^{4+o(1)}$ under the generalized Riemann hypothesis, as observed by Miller in [13]. Dan Bernstein has found [5] a Las Vegas probabilistic algorithm with complexity $(\log n)^{4+o(1)}$. See also Avanzi and Mihailescu [4]. The correctness and running time of this algorithm does not depend on the truth of any unproved conjecture. It is unconditional.

Notation. In this paper, the notation stands for a positive absolute constant. Any statement containing this symbol becomes true if the symbol is replaced in every occurrence by some large enough real number. Similarly, the notation $\varepsilon(x)$ stands for a real function of the real parameter $x$ alone, belonging to the class $o(1)$.
2. Cyclic extensions of Z/nZ

Let $n \ge 3$ be an odd integer and set $R = \mathbb{Z}/n\mathbb{Z}$. A cyclic extension of $R$ is a Galois extension $S$ of $R$ in the sense of [8, Chapter III], with finite cyclic Galois group $\mathcal{G}$. We denote by $d$ the order of $\mathcal{G}$, and let $\sigma$ be a generator of it. The Galois property implies [8, Chapter III, Corollary 1.3] that $S$ is a projective $R$-module of constant rank $d$. Since $R$ is semi-local we deduce [6, II.5.3, Proposition 5] that $S$ is free of rank $d$. The sub-algebra consisting of elements in $S$ fixed by $\sigma$ is $R$ itself [8, Chapter III, Proposition 1.2]. And $S$ is a separable $R$-algebra in the sense that it is projective as a module over $S \otimes_R S$. We deduce [3, Theorem 2.5.] that $S$ is an unramified extension of $R$. And $S$ is a free $R[\mathcal{G}]$-module of rank 1. Equivalently there exists a normal basis [7, Theorem 4.2.]. In this section we study the group of units of such an algebra and count the solutions to Equation (1) in it. In Paragraph 2.1 we localize at a prime $p$ and we study the Frobenius action on the residue algebra. We decompose the unit group as a direct product. The $p$-part is studied in Paragraph 2.2, and the prime to $p$ part is studied in Paragraph 2.3. In Paragraph 2.4 we deduce an estimate for the number of bad witnesses. We refer to the book by DeMeyer and Ingraham [8] for general properties of Galois extensions, and to Lenstra [10, 11] for their use in the context of primality testing.

2.1. The structure of $S^*$ as a $\mathbb{Z}[\mathcal{G}]$-module. We write $n = \prod_p p^{v_p}$ the prime decomposition of $n$. If $p$ and $q$ are two distinct primes dividing $n$, then $p^{v_p}S + q^{v_q}S = S$. Furthermore, the intersection of all $p^{v_p}S$ for $p$ dividing $n$ is zero. So $S$ is isomorphic to the product

$$\prod_{p \mid n} S/p^{v_p}S = \prod_{p \mid n} S_p,$$

and this decomposition is an isomorphism of $\mathbb{Z}[\mathcal{G}]$-modules. So we can and will assume now that $n = p^v$ is a prime power.

We set $L = S/pS$ and $K = R/pR = \mathbb{Z}/p\mathbb{Z}$. Since $pS \cap R = pR$, the ring $L$ is a faithful $K$-algebra. The $R$-automorphism $\sigma : S \to S$ induces a $K$-automorphism of $L$ that we call $\sigma$ also. The $K$-algebra $L$ has dimension $d$ and is Galois with group $\mathcal{G}$ [11, Proposition 2.7.]. From $K = L^{\mathcal{G}}$ we deduce [6, Chapitre 5, paragraphe 1, numéro 9, proposition 22] that $L$ is integral over $K$. Let $\mathfrak{p}$ be a prime ideal in $L$. The intersection $\mathfrak{p} \cap K$ is a prime ideal in $K$, so it is equal to $0$. Since $0$ is maximal in $K$, the ideal $\mathfrak{p}$ is maximal in $L$ [6, Chapitre 5, paragraphe 2, numéro 1, Proposition 1]. Thus $L$ is a ring of dimension $0$. Since $L$ is noetherian, it is an artinian ring [6, Chapitre 4, paragraphe 2, numéro 5, Proposition 9]. The automorphism $\sigma$ acts transitively on the set of prime ideals in $L$ [6, Chapitre 5, paragraphe 2, numéro 2, Théorème 2]. We denote by $\mathcal{G}^Z$ (resp. $\mathcal{G}^T$) the decomposition group (resp. inertia group) of all these prime ideals. The Galois property [8, Proposition 1.2] implies that the inertia group is trivial. Let $f$ be the order of $\mathcal{G}^Z$. We check that $d = fm$ where $m$ is the number of prime ideals in $L$. Let $\mathfrak{p}_0, \mathfrak{p}_1, \ldots, \mathfrak{p}_{m-1}$ be all these prime ideals. They are pairwise comaximal: for $i \ne j$ we have $\mathfrak{p}_i + \mathfrak{p}_j = L$. The radical of $L$ is

$$\bigcap_i \mathfrak{p}_i = \prod_i \mathfrak{p}_i = 0,$$

because $L$ is unramified over $K$. So the map

$$L \to \prod_i L/\mathfrak{p}_i$$
is an isomorphism of $\mathbb{Z}[\mathcal{G}]$-modules. For every $i$ in $\{0, 1, \ldots, m-1\}$, the decomposition group $\mathcal{G}^Z$ is isomorphic to the group of $K$-automorphisms of the residue field $M_i = L/\mathfrak{p}_i$ [6, Chapitre 5, paragraphe 2, numéro 2, Théorème 2]. The Frobenius automorphism $\phi_i$ of $M_i = L/\mathfrak{p}_i$ is the reduction modulo $\mathfrak{p}_i$ of some power $\sigma^{z_i m}$ of $\sigma^m$ generating $\mathcal{G}^Z$. Especially, for every $a$ in $L$, one has $\sigma^{z_0 m}(a) = a^p \bmod \mathfrak{p}_0$ for some integer $z_0$. We let $\sigma$ act on the above congruence and deduce that $z_0 = z_1 = \cdots = z_{m-1} \bmod f$ because $\sigma$ acts transitively on the set of primes. So there exists a prime to $f$ integer $z$ such that for every element $x$ in $L$ we have

$$x^p = \sigma^{zm}(x).$$

We set

$$U = \{x \in S \mid x = 1 \bmod p\}.$$

This is a subgroup of the group $S^*$ of units in $S$, and even a $\mathbb{Z}[\mathcal{G}]$-module. We have an exact sequence of $\mathbb{Z}[\mathcal{G}]$-modules

$$1 \to U \to S^* \to (S/pS)^* \to 1.$$

While the group $U$ is a $p$-group, the group $(S/pS)^* = L^*$ has order prime to $p$. So $U$ is the $p$-Sylow subgroup of $S^*$. We denote by $V$ the product of all $q$-Sylow subgroups of $S^*$ for $q \ne p$. Then

$$S^* = U \times V \qquad (2)$$

and this decomposition is an isomorphism of $\mathbb{Z}[\mathcal{G}]$-modules because both $U$ and $V$ are characteristic subgroups of $S^*$. Furthermore, $V$ is isomorphic to $(S/pS)^*$ as a $\mathbb{Z}[\mathcal{G}]$-module. We study each factor separately.

2.2. The structure of $U$. The two maps

$$\mathrm{Log} : U \to pS, \qquad x \mapsto \mathrm{Log}(x) = -\sum_{k \ge 1} \frac{(1-x)^k}{k}$$

and

$$\mathrm{Exp} : pS \to U, \qquad x \mapsto \mathrm{Exp}(x) = 1 + \sum_{k \ge 1} \frac{x^k}{k!}$$

are well defined. They are indeed polynomial maps (recall that $p$ is odd). In particular, both maps are equivariant for the action of $\mathcal{G}$. So $\mathrm{Log}$ is an isomorphism between the $\mathbb{Z}[\mathcal{G}]$-modules $(U, \times)$ and $(pS, +)$. And $\mathrm{Exp}$ is the reciprocal map.

2.3. The structure of $V$. Let $\mathfrak{p}$ be a prime in $S$ above $p$. We set $M = S/\mathfrak{p}$. Recall that

$$pS = \prod_{0 \le k \le m-1} \sigma^k(\mathfrak{p}),$$

and there exists a prime to $f$ integer $z$ such that for every element $x$ in $S$ we have

$$x^p = \sigma^{zm}(x) \bmod \mathfrak{p}.$$

Let $1 \le t \le f - 1$ be the inverse of $z$ modulo $f$. Note that if $f = 1$, we have $z = t = 0$. We turn $M^m$ into a $\mathbb{Z}[\mathcal{G}]$-module by setting

$$\sigma.(x_0, x_1, \ldots, x_{m-1}) = (x_1, x_2, \ldots, x_{m-1}, x_0^{p^t}). \qquad (3)$$

The map

$$S/pS \to (S/\mathfrak{p})^m, \qquad x \mapsto \left(\sigma^k(x) \bmod \mathfrak{p}\right)_{0 \le k \le m-1}$$

is an isomorphism of $\mathbb{Z}[\mathcal{G}]$-modules between $S/pS$ and $M^m$. So $V$ and $(M^*)^m$ are isomorphic as $\mathbb{Z}[\mathcal{G}]$-modules.

2.4. Counting bad witnesses. We now show that in many cases one can bound from above the density of bad witnesses among the units of $S$.

Theorem 3 (Density of bad witnesses). Let $A > 2$ and $B \ge 3$ be two real numbers. Let $n \ge 3$ be an integer. Assume that every prime dividing $n$ is bigger than or equal to $B$. Assume that $n$ is not a prime power. Let $S \supset \mathbb{Z}/n\mathbb{Z}$ be a cyclic $(\mathbb{Z}/n\mathbb{Z})$-algebra of dimension $d$. Let $\sigma$ be a generator of the Galois group $\mathcal{G}$. Assume that $n$ has a prime power divisor $p^v$ satisfying

$$v \log p \ge \frac{A \log n}{d}. \qquad (4)$$

Then the density

$$\mu_S = \frac{\#\{x \in S^* \mid \sigma(x) = x^n\}}{\#S^*}$$

of bad witnesses among the units of $S$ is such that

$$\mu_S \le p^{-vd\left(\frac{1}{2} - \frac{1}{A} - \frac{2}{B}\right)} \le n^{-A\left(\frac{1}{2} - \frac{1}{A} - \frac{2}{B}\right)}. \qquad (5)$$

Proof. We count the solutions to Equation (1) in $S^*$. Since $S$ is isomorphic to the product of all $S_p$ for $p$ a prime dividing $n$, we fix such a prime $p$ and count the solutions to Equation (1) in $S_p$. Using the decomposition in Equation (2) we then reduce to counting solutions in the subgroups $U$ and $V$.

If $x \in U$ is a solution to Equation (1) then $x^n = x$. Since $U$ is a $p$-group and $p$ divides $n$ we deduce that $x = 1$.

According to Section 2.3, the $\mathbb{Z}[\mathcal{G}]$-module $V$ is isomorphic to $[(S/\mathfrak{p})^*]^m$ where $m$ is the number of prime ideals in $S$ above $p$, and $\mathfrak{p}$ is one of them, and the action of $\mathcal{G}$ is given by Equation (3). It is clear that any solution $x$ to Equation (1) in the latter $\mathbb{Z}[\mathcal{G}]$-module is characterized by its first coordinate $x_0$, and this coordinate must be a $|n^m - p^t|$-th root of unity in the field $S/\mathfrak{p}$. Since the latter field has cardinality $p^f$ we deduce that the number of solutions to Equation (1) in $V$ is

$$\gcd(n^m - p^t, p^f - 1).$$

The density of bad witnesses is thus

$$\mu_S = \prod_{p \mid n} \frac{\gcd(n^m - p^t, p^f - 1)}{(p^f - 1)^m\, p^{(v-1)d}}, \qquad (6)$$

where the integers $f$, $m$, $v$ and $t$ depend on $p$. This density is bounded from above by any term in the product (6). So let $p$ be a prime divisor of $n$ such that $v \log p \ge \frac{A \log n}{d}$. Let $m$ be the number of prime ideals in $S$ above $p$.

We first assume that $m \ge 2$, so $p$ splits in $S$. Then the density of bad witnesses is bounded from above by $1/\left((p^f - 1)^{m-1} p^{(v-1)d}\right)$. We check that

$$N - 1 \ge N^{1 - \frac{2}{B}} \qquad (7)$$

for every integer $N \ge B$. So $p^f - 1 \ge p^{f(1 - \frac{2}{B})}$. Since $m - 1 \ge m/2$, we find

$$\mu_S \le 1/p^{\frac{d}{2}\left(1 - \frac{2}{B}\right) + (v-1)d}.$$

The result follows.

We now assume that $m = 1$, so $p$ is inert in $S$ and $f = d$. We first prove the following inequality

$$\gcd(n - p^t, p^d - 1) \le np^{\frac{d}{2}}. \qquad (8)$$

Indeed, if $1 \le t \le \frac{d}{2}$, Inequality (8) is granted because $1 \le |n - p^t| \le \max(n, p^t) \le np^t$. In case $\frac{d}{2} < t \le d - 1$, we call $w$ the unique integer in $[1, d[$ that is congruent to $-t$ modulo $d$. We have

$$\gcd(n - p^t, p^d - 1) = \gcd(np^w - 1, p^d - 1). \qquad (9)$$

Since $w \le (d-1)/2$, the right hand side of (9) is bounded from above by $np^{\frac{d}{2}}$ as was to be shown. So Inequality (8) holds true in either case, and Inequality (5) follows using Equation (6), Equation (4), and Inequality (7). □



3. An efficient pseudo-primality test

A consequence of Theorem 3 is that a compositeness criterion such as Theorem 2, when implemented with a cyclic $(\mathbb{Z}/n\mathbb{Z})$-algebra of dimension $d$, is efficient, provided $n$ has a large prime power divisor $p^v$. On the other hand, we saw in Section 1 that the Miller-Rabin test is efficient when $n$ has many prime divisors. Combining these two tests we can construct a new probabilistic pseudo-primality test that takes advantage of either situation.

Fix two real numbers $A$ and $B$ such that $A > 2$ and $B \ge 4A/(A - 2)$. In particular $B > 4$. Set $C = 1 - 2/A - 4/B$ and note that $C$ is positive.

Let $n$ be a positive integer. We assume $n$ is not a prime power, and every prime dividing $n$ is bigger than or equal to $B$. We choose two positive integers $r$ and $d$ and we construct a pseudo-primality test which is the product of $r$ Miller-Rabin tests and a Galois test of dimension $d$. We let $\delta = \log(d/A)/\log\log n$ so

$$d = A(\log n)^{\delta}.$$

We let $\rho = \log(2A^{-1}r\log 2)/(\log\log n)$ so

$$r = \frac{A(\log n)^{\rho}}{2\log 2}.$$

We assume

$$\left(1 - \frac{A}{d}\right)(\log n)^{\delta+\rho} \le C\log n, \qquad (10)$$

or equivalently

$$dr\left(1 - \frac{A}{d}\right) \le \frac{A^2 C\log n}{2\log 2}.$$

We call $P_1 : ((\mathbb{Z}/n\mathbb{Z})^*)^r \to \{\text{composite}, \text{prime}\}$ the product of $r$ Miller-Rabin maps, and $P_2 : S^* \to \{\text{composite}, \text{prime}\}$ a Galois map as in Theorem 2, associated with a cyclic algebra of dimension $d$. We set $P = P_1 \vee P_2$. The density of bad witnesses for $P$ is bounded from above by each of the densities of bad witnesses for $P_1$ and $P_2$. Let $p^v$ be the largest prime power dividing $n$. We set $\pi = \log(v\log p)/\log\log n$, so

$$v\log p = (\log n)^{\pi}.$$

The number $t$ of prime divisors of $n$ satisfies

$$t \ge (\log n)/(v\log p) = (\log n)^{1-\pi}.$$

If

$$\delta + \pi \ge 1,$$

then $v\log p \ge \frac{A\log n}{d}$, and, according to Theorem 3, the density of bad witnesses for $P_2$ is bounded from above by

$$p^{-vd\left(\frac{1}{2} - \frac{1}{A} - \frac{2}{B}\right)} = \exp\left(-\frac{A}{2}\left(1 - \frac{2}{A} - \frac{4}{B}\right)(\log n)^{\delta+\pi}\right). \qquad (11)$$

On the other hand, the density of bad witnesses for every Miller-Rabin test is $\le 2^{-t+1}$. The density of bad witnesses for $r$ such tests is at most

$$2^{-r(t-1)} \le \exp\left(-\frac{A}{2}\left(1 - \frac{1}{t}\right)(\log n)^{1+\rho-\pi}\right). \qquad (12)$$

Although we do not know the value of $\pi$, we can deduce from Equations (11) and (12) an upper bound for the density of bad witnesses of the product test $P = P_1 \vee P_2$.

If $\pi$ lies in $[0, 1 - \delta[$ then Equation (11) gives nothing and Equation (12) gives an upper bound

$$\exp\left(-\frac{A}{2}\left(1 - \frac{A}{d}\right)(\log n)^{\rho+\delta}\right),$$

for the density of bad witnesses for $P_1$, because in that case $t \ge (\log n)^{1-\pi} \ge (\log n)^{\delta} = d/A$ and $1 + \rho - \pi \ge \rho + \delta$.

If $\pi$ lies in $[1 - \delta, 1]$ then Equation (11) gives an upper bound

$$\exp\left(-\frac{A}{2}\left(1 - \frac{2}{A} - \frac{4}{B}\right)\log n\right),$$

for the density of bad witnesses for $P_2$. Using Inequality (10) we find the upper bound

$$\exp\left(-\frac{A}{2}\left(1 - \frac{A}{d}\right)(\log n)^{\delta+\rho}\right),$$

in that case.

This discussion is illustrated in Figure 1 where the continuous line is the exponent of $\log n$ in Equation (12), the dashed line is the exponent of $\log n$ in Equation (11), and the bullet is the minimum of the maximum of the two functions.

Figure 1. The Miller-Rabin (continuous) and Galois (dashed) densities.

Theorem 4 (Density of the composed test). Let $A$ and $B$ be two real numbers such that $A > 2$ and $B \ge 4A/(A - 2)$. Let

$$C = 1 - 2/A - 4/B. \qquad (13)$$

Let $n$ be an integer that is not a prime power. Assume that $n$ has no prime divisor smaller than $B$. Let $r$ and $d$ be two positive integers such that

$$dr\left(1 - \frac{A}{d}\right) \le \frac{A^2 C\log n}{2\log 2} \qquad (14)$$

and let $P$ be the composite test of $r$ Miller-Rabin tests and one Galois test of dimension $d$. The density of bad witnesses for $P$ is bounded from above by

$$2^{-\frac{rd}{A}\left(1 - \frac{A}{d}\right)}.$$

Taking $A = 2.1$, $B = 1000$, and $d \ge 16$, we have $C = 0.043619$ and we obtain a density $\le 2^{-0.41369\,rd}$ provided $rd \le 0.13875\log n$.

Taking $A = 4$, $B = 1000$, and $d \ge 16$, we have $C = 0.496$ and we obtain a density $\le 2^{-0.18\,rd}$ provided $rd \le 5.72\log n$.

We note that the complexity of such a composed test is $(\log n)^{2+\varepsilon(n)}\left(r + d^{1+\varepsilon(d)}\right)$ under the condition that arithmetic operations in the $\mathbb{Z}/n\mathbb{Z}$-algebra $S$ can be performed in quasi-linear time in the degree $d$. It is asymptotically optimal to take $d$ and $r$ as close as possible. We thus prove Theorem 1 provided we can efficiently construct a Galois extension of $\mathbb{Z}/n\mathbb{Z}$ with degree $d$ in some interval $[k, k^{1+\varepsilon(k)}]$. This is the purpose of the next Section 4.

Heuristics. There are many possible choices for the parameters $A$, $B$, $r$ and $d$ when using Theorem 4. We will explain in Section 5.2 how to choose them optimally. Here we just collect a few simple minded observations on what could be a reasonable choice. We take

$$B = 8000. \qquad (15)$$

Taking a too large $A$ is pointless. We recommend

$$2 < A < 48. \qquad (16)$$

In case we have a bigger value of $\lambda$ it will be more efficient to take smaller values for $r$ and $d$ and repeat the whole test. We also suggest that

$$d \ge 2A, \qquad (17)$$

otherwise we would better use $r$ Miller-Rabin tests only, and obtain better security at lower cost. It is reasonable also to have

$$d \le r, \qquad (18)$$

because the $r$ Miller-Rabin tests and the one Galois test have similar effect on the security. So the time devoted to the $r$ Miller-Rabin tests should not be smaller than the time devoted to the Galois test. Assume we want to bound from above the error probability by $2^{-\lambda}$ for some integer $\lambda$. We must have

$$\lambda \le \frac{rd}{A}\left(1 - \frac{A}{d}\right). \qquad (19)$$

And we should have

$$\lambda \ge \frac{rd}{2A}\left(1 - \frac{A}{d}\right) \qquad (20)$$

in order not to waste time.

We deduce from Equations (18), (20), (17), and (16) that

$$d \le 2\sqrt{A\lambda} \le 14\sqrt{\lambda}. \qquad (21)$$

We deduce from Equations (19), (14), (13), and (16), that

$$\lambda \le (0.9995A - 2)\frac{\log_2 n}{2} \le 23\log_2 n. \qquad (22)$$

Under the reasonable hypotheses above, the smallest possible value for $A$ when applying Theorem 4 is thus

$$\left(2 + \frac{2\lambda}{\log_2 n}\right)/0.9995.$$

So we recommend to take

$$A = \left(2 + \frac{2\lambda}{b - 1}\right)/0.9995, \qquad (23)$$

where

$$b = \lfloor \log_2(n) \rfloor + 1$$

is the number of bits of $n$.



4. Constructing algebras

In this section we prove the following theorem.

Theorem 5 (Constructing algebras). There exist a function $\varepsilon : \mathbb{R} \to \mathbb{R}$ in the class $o(1)$ and a probabilistic (Las Vegas) algorithm that takes as input an odd integer $n$ and an integer $k$ such that $1 \le k \le \log n$, runs in time $(\log n)^{2+\varepsilon(n)}$, and returns with probability $\ge 1/2$ at least one of the following two data

• A proof that $n$ is composite,

• A cyclic algebra $S$ over $\mathbb{Z}/n\mathbb{Z}$ with degree $d$ and Galois group $\mathcal{G} = \langle\sigma\rangle$ such that

$$k \le d \le k^{1+\varepsilon(k)}, \qquad (24)$$

and there exists a basis $\Omega$ of the $\mathbb{Z}/n\mathbb{Z}$-module $S$ such that $\sigma(\omega) = \omega^n$ for every $\omega$ in $\Omega$.

Arithmetic operations in $S$ are then performed in deterministic time $(\log n)^{1+\varepsilon(n)}d^{1+\varepsilon(d)}$.

From Theorem 5 and Theorem 4 one can easily deduce Theorem 1. We prove Theorem 5 in two steps. We first apply a single Miller-Rabin test to $n$. If $n$ is composite we shall thus detect it with probability $\ge 1/2$ in probabilistic time $(\log n)^{2+\varepsilon(n)}$. So this copes with the case when $n$ is composite. We then try to construct a $(\mathbb{Z}/n\mathbb{Z})$-algebra $S$. For the complexity analysis of this second step, we can assume that $n$ is prime.
We shall use Kummer theory to construct an extension of $\mathbb{Z}/n\mathbb{Z}$ with appropriate degree. This is a classical construction in this context. It appears in [1, 12] and even more explicitly in [5, 9]. We first construct a small cyclotomic extension $R_{\mathrm{cyc}}$, then a Kummer extension $S$ of $R_{\mathrm{cyc}}$. We let $d_{\mathrm{cyc}}$ be the smallest positive integer such that the product $Q$ of all prime integers $q$ such that $q - 1 \mid d_{\mathrm{cyc}}$ exceeds $k$. According to [1, Theorem 3] we have

$$d_{\mathrm{cyc}} \le (\log k)^{c\log\log\log k}$$

for some positive absolute constant $c$. We call $d_{\mathrm{kum}}$ the smallest divisor of $Q$ that exceeds $k$. We set $d = d_{\mathrm{kum}}d_{\mathrm{cyc}}$. It is clear that $d$ satisfies Inequality (24). We first use the algorithms in [16] to find a degree $d_{\mathrm{cyc}}$ unitary polynomial $F(X)$ in $\mathbb{Z}/n\mathbb{Z}[X]$ that is irreducible if $n$ is prime. This takes probabilistic time $d_{\mathrm{cyc}}^{2+\varepsilon(d_{\mathrm{cyc}})}(\log n)^{2+\varepsilon(n)}$, that is $(\log n)^{2+\varepsilon(n)}$. We set

$$R_{\mathrm{cyc}} = (\mathbb{Z}/n\mathbb{Z})[X]/F(X).$$

We set $x = X \bmod F(X)$ and call $\sigma_{\mathrm{cyc}} : R_{\mathrm{cyc}} \to R_{\mathrm{cyc}}$ the $(\mathbb{Z}/n\mathbb{Z})$-linear map that sends $x^i$ to $x^{ni}$ for $0 \le i \le d_{\mathrm{cyc}} - 1$. We check that $\sigma_{\mathrm{cyc}}$ is a morphism of $(\mathbb{Z}/n\mathbb{Z})$-algebras. This boils down to checking that $\sigma_{\mathrm{cyc}}(x^i) = x^{ni}$ for $d_{\mathrm{cyc}} \le i \le 2d_{\mathrm{cyc}} - 2$. This takes time $(\log n)^{2+\varepsilon(n)}$. It is a matter of linear algebra to check that the subalgebra fixed by $\sigma_{\mathrm{cyc}}$ is $\mathbb{Z}/n\mathbb{Z}$. It takes time $(d_{\mathrm{cyc}})^3(\log n)^{1+\varepsilon(n)} = (\log n)^{1+\varepsilon(n)}$. We pick a random $u$ in $R_{\mathrm{cyc}}$ and check that

$$\sigma_{\mathrm{cyc}}^i(u) - u \in R_{\mathrm{cyc}}^* \qquad (25)$$

for every $0 < i < d_{\mathrm{cyc}}$. If $n$ is prime then the density of such elements in $R_{\mathrm{cyc}}$ is at least $1/2$. So finding one of them takes probabilistic time $(\log n)^{2+\varepsilon(n)}$.

We check that $d_{\mathrm{kum}}$ divides $n^{d_{\mathrm{cyc}}} - 1$. We check that $\sigma_{\mathrm{cyc}}^{d_{\mathrm{cyc}}}(x) = x$.

We look for an element $a$ in $R_{\mathrm{cyc}}^*$ such that $\zeta = a^{\frac{n^{d_{\mathrm{cyc}}} - 1}{d_{\mathrm{kum}}}}$ has exact order $d_{\mathrm{kum}}$. If $n$ is prime, the density of such elements $a$ in $R_{\mathrm{cyc}}^*$ is $\ge (\log\log\log n)^{-c}$ for some positive absolute constant $c$. We check that $\sigma_{\mathrm{cyc}}(a) = a^n$. We set

$$S = R_{\mathrm{cyc}}[Y]/(Y^{d_{\mathrm{kum}}} - a),$$

and $y = Y \bmod Y^{d_{\mathrm{kum}}} - a$. Let $\tau : S \to S$ be the unique endomorphism of $R_{\mathrm{cyc}}$-algebra such that $\tau(y) = \zeta y$. The subalgebra of $S$ fixed by $\tau$ is $R_{\mathrm{cyc}}$.

There exists a unique endomorphism of $(\mathbb{Z}/n\mathbb{Z})$-algebra $\sigma : S \to S$ such that $\sigma(y) = y^n$ and the restriction of $\sigma$ to $R_{\mathrm{cyc}}$ is $\sigma_{\mathrm{cyc}}$. It is clear that $\sigma^{d_{\mathrm{cyc}}}$ is $\tau$. Restriction to $R_{\mathrm{cyc}}$ gives an exact sequence

$$1 \to \langle\tau\rangle \to \langle\sigma\rangle \to \langle\sigma_{\mathrm{cyc}}\rangle \to 1.$$

So the order of $\sigma$ is $d = d_{\mathrm{kum}}d_{\mathrm{cyc}}$. Every element in $S$ fixed by $\sigma$ is also fixed by $\tau = \sigma^{d_{\mathrm{cyc}}}$. So it belongs to $R_{\mathrm{cyc}}$. But elements in $R_{\mathrm{cyc}}$ fixed by $\sigma_{\mathrm{cyc}}$ actually lie in $\mathbb{Z}/n\mathbb{Z}$. So

$$S^{\mathcal{G}} = \mathbb{Z}/n\mathbb{Z}, \qquad (26)$$

where $\mathcal{G}$ is the group generated by $\sigma$. Furthermore, for every $0 < i < d_{\mathrm{kum}}$

$$\tau^i(y) - y = (\zeta^i - 1)y \in S^*. \qquad (27)$$

From (26), (25), (27) and [8, Proposition 1.2] we deduce that $S$ is a Galois extension of $\mathbb{Z}/n\mathbb{Z}$ with group $\mathcal{G}$. As for the basis $\Omega$ we can take the $x^iy^j$ for $0 \le i < d_{\mathrm{cyc}}$ and $0 \le j < d_{\mathrm{kum}}$.
Remark. We expect [1, Remark 6.3] that

$$d_{\mathrm{cyc}} \le (2\log d_{\mathrm{kum}})^{1.5\log\log\log d_{\mathrm{kum}}},$$

for large enough $k$. This and Equations (21), (22) imply

$$d_{\mathrm{cyc}} \le (9 + \log b)^{1.5 \times \max(1, \log\log\log 68\sqrt{b})}, \qquad (28)$$

where $b$ is the number of bits of $n$. We shall use this estimate in Section 5.2.

5. An algorithm

It is now possible to specify an algorithm.

5.1. A theoretical algorithm. We prove Theorem 1 by describing the algorithm. The input consists of a large enough integer $n$ and a bound $\lambda$ such that $1 \le \lambda \le \log n$. The algorithm outputs either that $n$ is composite or that $n$ is a probable prime. The probability of missing a composite is at most $2^{-\lambda}$.

The algorithm is the following.

i) Check that $n$ has no prime factor smaller than 1000.

ii) Check that $n$ is not a prime power.

iii) Set $k = \max(16, \lfloor\sqrt{\lambda}\rfloor)$ and use the algorithm in the proof of Theorem 5 to construct a $(\mathbb{Z}/n\mathbb{Z})$-algebra $S$ with degree $d$ such that $k \le d \le k^{1+\varepsilon(k)}$.

iv) Set $r = \lceil \lambda/(0.18 \times d) \rceil$.

v) Perform $r$ Miller-Rabin tests. If one of them fails output composite.

vi) Choose at random a non-zero $z$ in $S$ and check that it is invertible. If it is not, output composite.

vii) Check that $\sigma(z) = z^n$ and output composite or prime accordingly.

Applying Theorem 4 with $A = 4$ and $B = 1000$ we see that, for large enough $n$, the algorithm returns prime with probability $\le 2^{-\lambda}$ when $n$ is composite. It runs in time $(\log n)^{2+\varepsilon(n)}\lambda^{1/2+\varepsilon(\lambda)}$ because both $d$ and $r$ are $\le \lambda^{1/2+\varepsilon(\lambda)}$.
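As an added illustration (not code from the paper or its MAGMA implementation), the following Python models the product of Miller-Rabin maps of Section 1 and the Galois map of Theorem 2 in the special case $d_{\mathrm{cyc}} = 1$ of Section 4, where $S = (\mathbb{Z}/n\mathbb{Z})[Y]/(Y^d - a)$ with $d \mid n - 1$ and $\zeta = a^{(n-1)/d}$ of exact order $d$, so that $\sigma(y) = y^n = \zeta y$. The parameters $n$, $d$, the Miller-Rabin bases and the witness $z$ are chosen by hand; the parameter search of Section 5.2 and the unit check of step vi) are not modelled.

```python
# Toy model of the composed test (Section 5.1) with d_cyc = 1: not the paper's code.
from math import gcd


def miller_rabin_map(n, x):
    """MR_n(x) of Section 1: n - 1 = m 2^k with m odd; prime iff x^m = 1
    or x^(m 2^i) = -1 for some 0 <= i < k."""
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    y = pow(x, m, n)
    if y == 1 or y == n - 1:
        return "prime"
    for _ in range(1, k):
        y = y * y % n
        if y == n - 1:
            return "prime"
    return "composite"


def vee(*verdicts):
    """The composition law 'v' of Section 1: prime only if every factor is prime."""
    return "prime" if all(v == "prime" for v in verdicts) else "composite"


def find_kummer_generator(n, d):
    """Step 9 with d_cyc = 1: search a with zeta = a^((n-1)/d) of exact order d.
    For composite n, 'exact order' is checked as in (27): zeta^d = 1 and every
    zeta^i - 1 (0 < i < d) must be a unit of Z/nZ.  Returns (a, zeta) or None."""
    assert n % 2 == 1 and (n - 1) % d == 0
    for a in range(2, n):
        zeta = pow(a, (n - 1) // d, n)
        if pow(zeta, d, n) != 1:
            continue
        if all(gcd(pow(zeta, i, n) - 1, n) == 1 for i in range(1, d)):
            return a, zeta
    return None  # impossible for prime n, so n must be composite


def mul(u, v, n, d, a):
    """Product in S = (Z/nZ)[Y]/(Y^d - a); elements are coefficient lists."""
    w = [0] * (2 * d - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[i + j] = (w[i + j] + ui * vj) % n
    for i in range(2 * d - 2, d - 1, -1):  # fold Y^i = a * Y^(i-d)
        w[i - d] = (w[i - d] + a * w[i]) % n
    return w[:d]


def power(u, e, n, d, a):
    """Square-and-multiply in S."""
    r = [1] + [0] * (d - 1)
    while e:
        if e & 1:
            r = mul(r, u, n, d, a)
        u = mul(u, u, n, d, a)
        e >>= 1
    return r


def sigma(u, n, zeta):
    """Z/nZ-linear endomorphism with sigma(y) = zeta*y, i.e. y^i -> zeta^i y^i."""
    return [c * pow(zeta, i, n) % n for i, c in enumerate(u)]


def galois_map(n, d, z):
    """P_n(z) of the Galois test (Theorem 2) for z given as a coefficient list."""
    found = find_kummer_generator(n, d)
    if found is None:
        return "composite"
    a, zeta = found
    return "prime" if sigma(z, n, zeta) == power(z, n, n, d, a) else "composite"


def composed_test(n, d, bases, z):
    """P = P_1 v P_2: Miller-Rabin maps at the given bases, then the Galois map."""
    return vee(*(miller_rabin_map(n, x) for x in bases), galois_map(n, d, z))


if __name__ == "__main__":
    # Constructed inputs: 1009 is prime; 1891 = 31 * 61 and 5 divides both 30 and 60.
    print(composed_test(1009, 7, [2, 3], [1, 1, 0, 0, 0, 0, 0]))  # prime
    print(composed_test(1891, 5, [2], [1, 1, 0, 0, 0]))           # composite
```

For $n = 1891$ the witness $z = 1 + y$ is provably good: in the component $\mathbb{F}_{31^5}$ the relation $\sigma(z) = z^n$ would force $z^{150} = 1$, hence a norm $z^5$ lying in $\mathbb{F}_{31}$, which its $y^4$ coefficient rules out.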

5.2. A practical algorithm. We let $b$ be the number of bits of $n$. We assume $\lambda \le 23\log_2 n$ according to Equation (22). For higher security we may just repeat the test. We set $B = 8000$ and $A = \left(2 + \frac{2\lambda}{b - 1}\right)/0.9995$ following Equations (15) and (23).

The algorithm of Section 5.1 can be reformulated as follows.

• Preliminaries.

1) Check that $n$ has no prime factor smaller than $B$.

2) Check that $n$ is not a prime power.

3) Determine the integers $d_{\mathrm{cyc}}$, $d_{\mathrm{kum}}$ and $r$.

• Miller-Rabin tests.

4) Perform $r$ Miller-Rabin tests.

• Construction of the algebra $R_{\mathrm{cyc}}$.

5) Find an "irreducible" polynomial $F(X)$ of degree $d_{\mathrm{cyc}}$ modulo $n$ and construct the algebra $R_{\mathrm{cyc}}$.

6) Compute the action of the automorphism $\sigma_{\mathrm{cyc}}$ on every $X^i \bmod F(X)$ for $i = 0, \ldots, 2d_{\mathrm{cyc}} - 2$.

7) Check that the submodule of $R_{\mathrm{cyc}}$ fixed by $\sigma_{\mathrm{cyc}}$ is $\mathbb{Z}/n\mathbb{Z}$.

8) Find a $u$ in $R_{\mathrm{cyc}}$ such that $\sigma_{\mathrm{cyc}}^i(u) - u$ is a unit for every $1 \le i \le d_{\mathrm{cyc}} - 1$.

• Construction of the algebra $S$.

9) Find an element $a$ in $R_{\mathrm{cyc}}$ such that $\zeta = a^{\frac{n^{d_{\mathrm{cyc}}} - 1}{d_{\mathrm{kum}}}}$ has exact order $d_{\mathrm{kum}}$. Check that $\sigma_{\mathrm{cyc}}(a) = a^n$.

• The Galois test.

10) Choose at random a non-zero $z$ in $S$ and check that it is invertible.

11) Check that $\sigma(z) = z^n$.

We now comment on each of these steps. 

5.2.1. Preliminary steps.

Step 1: Check that $n$ has no prime factor smaller than $B$. Recall that $B = 8000$. We compute once and for all the product of all the primes smaller than $B$ and check that the gcd with $n$ is equal to 1. If this is not the case, we stop and output that $n$ is composite.

Step 2: Check that $n$ is not a prime power. For each integer $d$ between 2 and $b$, we compute some integer approximation $\eta$ of the positive real $\sqrt[d]{n}$ such that $|\eta - \sqrt[d]{n}| \le 0.6$ (there exist fast methods based on Newton iterations for this task). Then we check that $\eta^d$ is not equal to $n$. Otherwise we stop and output that $n$ is composite.

Step 3: Determine the integers $d_{\mathrm{cyc}}$, $d_{\mathrm{kum}}$ and $r$. We consider all the small integers $d_{\mathrm{cyc}}$, starting from 1 and ending at $\lfloor (9 + \log b)^{1.5 \times \max(1, \log\log\log 68\sqrt{b})} \rfloor$ according to Equation (28). For each $d_{\mathrm{cyc}}$, we enumerate the divisors $d_{\mathrm{kum}}$ of $n^{d_{\mathrm{cyc}}} - 1$ upper bounded by $\lfloor 2\sqrt{A\lambda}/d_{\mathrm{cyc}} \rfloor$ according to Equation (21). We set $d = d_{\mathrm{cyc}} \times d_{\mathrm{kum}}$ and $r = \lceil \lambda A/(d - A) \rceil$.

This exhaustive search produces many 3-tuples $(d_{\mathrm{cyc}}, d_{\mathrm{kum}}, r)$. Among these we select the one with the smallest estimated cost. The cost estimates are obtained from some systematic experiments with the available computer arithmetic (see Section 6 for our choices in a MAGMA implementation).

We then compare with the estimated cost of $\lambda/2$ classical Miller-Rabin tests. If the latter are cheaper, we switch to these classical tests and output the result, otherwise we go to Step 4.

5.2.2. Miller-Rabin tests.

Step 4: Perform $r$ Miller-Rabin tests. Each of these $r$ tests is a classical Miller-Rabin test as described in Section 1.

5.2.3. Construction of the algebra R cyc . We skip the next four steps when d cyc = 1. 

Step 5: Find a unitary "irreducible" polynomial F(X) of degree d cyc modulo n. We use any 
efficient probabilistic algorithm A that produces a degree d cyc unitary irreducible polynomial, 
with probability ^ 1/2, provided n is prime. For n prime, A fails with probability ^ 1/2. In 
that case it returns nothing. If n is not prime, then A may return either nothing or a unitary 
polynomial of degree d cyc in (Z/nZ)[X]. 

We call B the algorithm consisting of A followed by a Miller- Rabin test. It returns with 
probability ^ 1/2 either a proof that n is not prime or a polynomial of degree d cyc in 
(Z/nZ)[X]. We iterate B until we get such an output. 

Step 5 thus provides either a proof of compositeness or a polynomial which we know to be irreducible in case $n$ is a prime. As for the choice of $A$, we distinguish several cases for efficiency purposes.

• When $d_{\rm cyc} = 2$, we look for an element $a$ with Jacobi symbol $\left(\frac{a}{n}\right) = -1$ and we set $F(X) = X^2 - a$. Note that $a$ is a quadratic non-residue when $n$ is a prime.

• When $d_{\rm cyc}$ divides $n-1$, we look for an element $a$ such that $a^{(n-1)/d_{\rm cyc}}$ has order $d_{\rm cyc}$, and we set $F(X) = X^{d_{\rm cyc}} - a$.

• Otherwise, we test random unitary polynomials $F(X)$ and we use the extended Euclidean algorithm to check that the ideal $(X^{n^i} - X, F(X))$ in $(\mathbb{Z}/n\mathbb{Z})[X]$ is the unit ideal for all $i$ from $1$ to $\lfloor d_{\rm cyc}/2 \rfloor$. If we test more than $\log(1/2)/\log(1 - 1/2d)$ polynomials $F(X)$, then the probability of success is $\geqslant 1/2$ provided $n$ is prime.

One may wonder why we incorporate a Miller-Rabin test in the loop. This is just to guarantee that we leave the loop in due time, even if $n$ is composite. A similar caution should be taken in every loop occurring in the next steps; we only detail it here. In practice these Miller-Rabin tests are completely useless: at this point $n$ is almost known to be prime and there is no risk of staying blocked in such a loop.

Step 6: Compute the action of the automorphism $\sigma_{\rm cyc}$. We set $x = X \bmod F(X)$ and write $x^{in}$ in the polynomial basis $(x^k)_k$, for $i$ from $0$ to $d_{\rm cyc}-1$. This yields a $d_{\rm cyc} \times d_{\rm cyc}$ matrix over $\mathbb{Z}/n\mathbb{Z}$, that we denote $M_{\sigma_{\rm cyc}}$. Using this matrix, we can check that $\sigma_{\rm cyc}(x^i) = x^{in}$ for $i$ from $d_{\rm cyc}$ to $2d_{\rm cyc}-2$, and that $\sigma_{\rm cyc}^{d_{\rm cyc}}(x) = x$. The first condition says that the $\mathbb{Z}/n\mathbb{Z}$-linear map defined by $M_{\sigma_{\rm cyc}}$ is multiplicative, i.e. a ring endomorphism of $R_{\rm cyc}$; the second that its order divides $d_{\rm cyc}$. If this is not the case, we stop and output that $n$ is composite.

Step 7: Check that $\sigma_{\rm cyc}$ fixes $\mathbb{Z}/n\mathbb{Z}$. We try to compute the kernel of $M_{\sigma_{\rm cyc}} - \mathrm{Id}$ using Gauss elimination. It produces either the expected kernel or a zero divisor in $\mathbb{Z}/n\mathbb{Z}$. In the latter case we stop and output that $n$ is composite. Once the kernel is computed, we check that it is equal to $\mathbb{Z}/n\mathbb{Z}$. If it is not the case, we stop and output that $n$ is composite.

Step 8: Find a $u$ in $R_{\rm cyc}$ such that $\sigma_{\rm cyc}^i(u) - u$ is a unit for every $1 \leqslant i \leqslant d_{\rm cyc}-1$. If $n$ is prime then at least half of the elements in $R_{\rm cyc}$ satisfy the condition. So we pick at random $u$ in $R_{\rm cyc}$ and test the condition. We iterate if it fails. We again add a Miller-Rabin test in the loop to make sure that it stops with probability $\geqslant 1/2$ even when $n$ is composite.

To check that a non-zero element $z$ in $R_{\rm cyc}$ is a unit we try to compute an inverse using the extended Euclidean algorithm. If it returns an element $z'$, we just need to check that $zz' = 1$. If it fails we know that $n$ is not a prime and we stop.
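Steps 5 to 8 written out for $d_{\rm cyc} = 2$, as an added Python example; this is not the authors' MAGMA implementation, and the names `build_cyclic_algebra`, `r_mul`, `r_is_unit` and `fermat_guard` are this example's own. Two shortcuts are assumptions of the example rather than the page's method: units of $R_{\rm cyc} = (\mathbb{Z}/n\mathbb{Z})[x]/(x^2 - a)$ are recognised through the norm $c_0^2 - a c_1^2$ (the product $u\bar u$ with $\bar u = c_0 - c_1 x$), which is a unit exactly when $u$ is, instead of through the extended Euclidean algorithm, and the Miller-Rabin guard inside each loop is replaced by a Fermat test on a random base. The matrix $M_{\sigma_{\rm cyc}}$ of Step 6 is $2 \times 2$ here, with columns $\sigma(1) = 1$ and $\sigma(x) = x^n = c_0 + c_1 x$, and is applied through the function `sigma`.

```python
# Steps 5-8 of the page for d_cyc = 2: R_cyc = (Z/nZ)[x]/(x^2 - a) with Jacobi symbol
# (a/n) = -1 and sigma_cyc(x) = x^n.  Added example, not the authors' MAGMA code.
import random
from math import gcd


class Composite(Exception):
    """Raised as soon as a step produces a proof that n is composite."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def r_mul(u, v, n, a):
    """Product in R_cyc; the element c0 + c1*x is stored as the pair (c0, c1)."""
    return ((u[0] * v[0] + a * u[1] * v[1]) % n, (u[0] * v[1] + u[1] * v[0]) % n)


def r_pow(u, e, n, a):
    res = (1, 0)
    while e:
        if e & 1:
            res = r_mul(res, u, n, a)
        u, e = r_mul(u, u, n, a), e >> 1
    return res


def r_is_unit(u, n, a):
    """True if u is a unit, False if u == 0.  The norm c0^2 - a*c1^2 = u * conj(u) is a unit
    exactly when u is (assumption of this example, valid for degree 2).  A nonzero u with a
    non-unit norm is impossible when n is prime (R_cyc is then a field), so it proves n composite."""
    if u == (0, 0):
        return False
    g = gcd((u[0] * u[0] - a * u[1] * u[1]) % n, n)
    if g != 1:
        raise Composite(f"nonzero non-unit {u} in R_cyc: gcd of its norm with n is {g}")
    return True


def fermat_guard(n, rng):
    """Cheap stand-in for the Miller-Rabin test the page puts inside each loop."""
    if pow(rng.randrange(2, n - 1), n - 1, n) != 1:
        raise Composite("Fermat test failed")


def build_cyclic_algebra(n, seed=0):
    """Steps 5-8 with d_cyc = 2, for odd n > 3.  Returns (a, sigma(x), u), or None as soon
    as a step proves n composite."""
    rng = random.Random(seed)
    try:
        while True:                                       # Step 5: a with (a/n) = -1
            a = rng.randrange(2, n - 1)
            j = jacobi(a, n)
            if j == -1:
                break
            if j == 0:
                raise Composite(f"gcd({a}, {n}) > 1")
            fermat_guard(n, rng)
        c0, c1 = sigma_x = r_pow((0, 1), n, n, a)         # Step 6: sigma(x) = x^n gives M_sigma

        def sigma(u):                                     # apply M_sigma: u0 + u1*x -> u0 + u1*sigma(x)
            return ((u[0] + u[1] * c0) % n, u[1] * c1 % n)

        if r_mul(sigma_x, sigma_x, n, a) != (a, 0):       # sigma(x^2) = sigma(a) = a must equal x^(2n)
            raise Composite("sigma is not multiplicative: x^(2n) != a")
        if sigma(sigma_x) != (0, 1):                      # sigma^2(x) = x
            raise Composite("sigma^2(x) != x")
        # Step 7: ker(M_sigma - Id) = {(u0, u1): u1*c0 = 0 = u1*(c1 - 1)}, which is exactly
        # the constants Z/nZ iff gcd(c0, c1 - 1, n) = 1.
        if gcd(gcd(c0, (c1 - 1) % n), n) != 1:
            raise Composite("sigma fixes more than Z/nZ")
        while True:                                       # Step 8: u with sigma(u) - u a unit
            u = (rng.randrange(n), rng.randrange(n))
            s = sigma(u)
            if r_is_unit(((s[0] - u[0]) % n, (s[1] - u[1]) % n), n, a):
                return a, sigma_x, u
            fermat_guard(n, rng)
    except Composite:
        return None
```

For a prime $n$ the returned $\sigma(x)$ is $-x$, i.e. the pair $(0, n-1)$, by Euler's criterion. The composite $3 \times 1000003$ used in the test is a constructed input: it is $\equiv 1 \pmod 8$, so modulo $3$ one always gets $x^n = x$ and the kernel of $M_{\sigma_{\rm cyc}} - \mathrm{Id}$ is too large, which Step 6 or Step 7 detects for every $a$.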

5.2.4. Construction of the algebra $S$.

Step 9: Find an element $\zeta$ of exact order $d_{\rm kum}$ in $R_{\rm cyc}$. We pick a random $a$ in the algebra $R_{\rm cyc}$ and compute $\zeta = a^{(n^{d_{\rm cyc}}-1)/d_{\rm kum}}$. If $n$ is prime then the density of $a$ such that the corresponding $\zeta$ has exact order $d_{\rm kum}$ is $\geqslant (\log\log\log n)^{-1}$. The test consists of checking that $\zeta^{d_{\rm kum}/q} - 1$ is a unit, for every prime divisor $q$ of $d_{\rm kum}$. We proceed as in Step 8.

As above, we add a Miller-Rabin test in the loop to make sure that it stops with probability $\geqslant 1/2$ when $n$ is composite.

We check that $\sigma_{\rm cyc}(a) = a^n$ using the matrix $M_{\sigma_{\rm cyc}}$. If this is not the case, we know that $n$ is not a prime and we stop.

5.2.5. The Galois test.

Step 10: Choose at random an invertible element in $S$. We pick a random non-zero $z$ in $S$ and try to compute the inverse $z'$ of $z$ with the extended gcd algorithm. If the extended gcd algorithm fails, or $z' \times z$ is not equal to $1$, then we know that $n$ is not a prime and we can stop.

Step 11: Check that $\sigma(z) = z^n$. On the one hand, we compute $z^n$ in $S$ using fast exponentiation. On the other hand, we write $z = \sum_i z_i y^i$ where $z_i \in R_{\rm cyc}$ and $y = Y \bmod (Y^{d_{\rm kum}} - a)$. Then we compute $\sigma(z)$ as

$$\sum_i \sigma_{\rm cyc}(z_i) \times y^{in}$$

where $\sigma_{\rm cyc}(z_i)$ is computed using the matrix $M_{\sigma_{\rm cyc}}$. Note that $y^{in}$ can be efficiently computed as $a^\alpha y^\beta$ where $\alpha$ (resp. $\beta$) is the quotient (resp. the remainder) in the Euclidean division of $in$ by $d_{\rm kum}$.

If $\sigma(z)$ is not equal to $z^n$, we output that $n$ is composite. Otherwise, we output that $n$ is a Galois pseudo-prime.
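Steps 4 and 9 to 11 with $d_{\rm cyc} = 1$, as an added Python example rather than the paper's MAGMA code. With $d_{\rm cyc} = 1$ the algebra $R_{\rm cyc}$ is $\mathbb{Z}/n\mathbb{Z}$, $\sigma_{\rm cyc}$ is the identity (so the check $\sigma_{\rm cyc}(a) = a^n$ of Step 9 reduces to $a^n = a \bmod n$), and $S = (\mathbb{Z}/n\mathbb{Z})[Y]/(Y^{d_{\rm kum}} - a)$ with $d_{\rm kum}$ dividing $n-1$. The names `galois_test`, `s_inverse`, `s_frobenius`, `unit_or_zero` and the parameter `dk` (for $d_{\rm kum}$) are this example's own; the number $r$ of Miller-Rabin tests of Step 4 is passed explicitly, so that $r = 0$ lets one observe what Steps 9 to 11 alone detect. The inputs in the test, the Mersenne prime $2^{61}-1$, the prime $1000003$ and the Carmichael number $3215031751 = 151 \times 751 \times 28351$, are constructed for illustration.

```python
# Galois test of the page with d_cyc = 1 (Steps 4 and 9-11).  Added example, not the
# authors' MAGMA code.  Elements of S are lists of dk coefficients, lowest degree first.
import random
from math import gcd

class Composite(Exception):
    """Raised as soon as a step produces a proof that n is composite."""

def miller_rabin(n, rounds, rng):  # classical Miller-Rabin for odd n > 3 (Step 4)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False  # proof that n is composite
    return True

def unit_or_zero(c, n):  # True if c is a unit mod n, False if c == 0, else n is composite
    g = gcd(c % n, n)
    if 1 < g < n:
        raise Composite(f"gcd({c % n}, {n}) = {g}")
    return g == 1

def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_divmod(num, den, n):  # division in (Z/nZ)[Y], den != 0; a non-unit leading coefficient proves n composite
    num, den = list(num), trim(list(den))
    unit_or_zero(den[-1], n)
    inv, q = pow(den[-1], -1, n), [0] * max(len(num) - len(den) + 1, 0)
    for k in range(len(num) - len(den), -1, -1):
        q[k] = c = num[k + len(den) - 1] * inv % n
        for j, dj in enumerate(den):
            num[k + j] = (num[k + j] - c * dj) % n
    return trim(q), trim(num)

def s_mul(u, v, n, dk, a):  # product in S: polynomial product, then fold y^(dk+j) = a*y^j
    w = [0] * (2 * dk - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[i + j] = (w[i + j] + ui * vj) % n
    for k in range(2 * dk - 2, dk - 1, -1):
        w[k - dk] = (w[k - dk] + a * w[k]) % n
    return w[:dk]

def s_pow(z, e, n, dk, a):  # z^e in S by square-and-multiply
    res = [1] + [0] * (dk - 1)
    while e:
        if e & 1:
            res = s_mul(res, z, n, dk, a)
        z, e = s_mul(z, z, n, dk, a), e >> 1
    return res

def s_inverse(z, n, dk, a):  # Step 10: extended Euclid of z and Y^dk - a, returns z' with z*z' = 1
    r0, r1, t0, t1 = [(-a) % n] + [0] * (dk - 1) + [1], trim(list(z)), [], [1]
    while r1:
        q, r = poly_divmod(r0, r1, n)
        qt = [0] * (len(q) + len(t1) - 1 if q and t1 else 0)
        for i, qi in enumerate(q):
            for j, tj in enumerate(t1):
                qt[i + j] = (qt[i + j] + qi * tj) % n
        t = [(x - y) % n for x, y in zip(t0 + [0] * len(qt), qt + [0] * len(t0))]
        r0, r1, t0, t1 = r1, r, t1, trim(t)
    if len(r0) != 1:
        raise Composite("z is a zero divisor of S")
    c = pow(r0[0], -1, n) if unit_or_zero(r0[0], n) else 0
    return [t0[i] * c % n if i < len(t0) else 0 for i in range(dk)]

def s_frobenius(z, n, dk, a):  # Step 11: sigma(z) = sum z_i y^(i n), y^(i n) = a^alpha y^beta, i n = alpha dk + beta
    out = [0] * dk
    for i, zi in enumerate(z):
        alpha, beta = divmod(i * n, dk)
        out[beta] = (out[beta] + zi * pow(a, alpha, n)) % n
    return out

def galois_test(n, dk, r, seed=0):  # 'composite' or 'galois pseudo-prime'; odd n > 3, dk | n - 1
    assert n % 2 and n > 3 and (n - 1) % dk == 0, "need odd n > 3 with dk dividing n - 1"
    rng, one = random.Random(seed), [1] + [0] * (dk - 1)
    qs = [q for q in range(2, dk + 1) if dk % q == 0 and all(q % p for p in range(2, q))]
    try:
        if not miller_rabin(n, r, rng):                             # Step 4: r Miller-Rabin tests
            return "composite"
        while True:                                                 # Step 9: zeta of exact order dk
            a = rng.randrange(2, n - 1)
            zeta = pow(a, (n - 1) // dk, n)
            if all(unit_or_zero(pow(zeta, dk // q, n) - 1, n) for q in qs):
                break
            if not miller_rabin(n, 1, rng):                         # loop guard, as on the page
                return "composite"
        if pow(a, n, n) != a:                                       # sigma_cyc(a) = a^n with sigma_cyc = id
            return "composite"
        z = [rng.randrange(1, n)] + [rng.randrange(n) for _ in range(dk - 1)]  # Step 10: nonzero z
        if s_mul(z, s_inverse(z, n, dk, a), n, dk, a) != one:
            return "composite"
        if s_frobenius(z, n, dk, a) != s_pow(z, n, n, dk, a):       # Step 11: sigma(z) = z^n
            return "composite"
        return "galois pseudo-prime"
    except Composite:
        return "composite"
```

With $r = 0$ the Carmichael number is still rejected inside Step 9: modulo each of its prime factors $p$ one has $p - 1 \mid n - 1$, so $\zeta = a^{(n-1)/d_{\rm kum}}$ has small order modulo $151$ and the gcd of $\zeta^{d_{\rm kum}/3} - 1$ with $n$ is never $1$, which either exposes a factor or sends the loop to its Miller-Rabin guard. For a prime $n$ the identity $\sigma(z) = z^n$ holds in any $\mathbb{F}_n$-algebra, so the verdict is always "galois pseudo-prime".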



6. Experiments 

We first determined power functions that best approximate the sub-quadratic timings that we measured for elementary polynomial arithmetic operations in MAGMA V2.18-2. In our testing ranges, i.e. $b$ between 512 and 8192 bits, $d_{\rm cyc}$ between 1 and 16 and $d_{\rm kum}$ between 8 and 1000, we obtained the following upper bounds for the heaviest steps in the algorithm.

• Step 4. Computing $r$ Miller-Rabin tests:

$$T_{\rm MR}(b, r) = F \times r \times b^{2.6}$$

• Step 5. Constructing an "irreducible" polynomial of degree $d_{\rm cyc}$ modulo $n$ (worst case):

$$T_F(b, d_{\rm cyc}) = \begin{cases} 0 & \text{if } d_{\rm cyc} = 1,\\ F \times \log_2 b \times b^{2.6} & \text{if } d_{\rm cyc} = 2,\\ 18F \times \log_2 d_{\rm cyc} \times d_{\rm cyc}^{2.2} \times b^{2.4} & \text{for larger } d_{\rm cyc}. \end{cases}$$

• Step 9. Finding an element $\zeta$ of order $d_{\rm kum}$ in $R_{\rm cyc}$ (worst case):

$$T_\zeta(b, d_{\rm cyc}) = \begin{cases} 19F \times b^{2.4} & \text{if } d_{\rm cyc} = 1,\\ \text{[constant illegible]} \times F \times d_{\rm cyc}^{2.2} \times b^{2.4} & \text{otherwise.} \end{cases}$$

• Step 11. Computing $\sigma(x)$ in $S$:

$$T_\sigma(b, d_{\rm cyc}, d_{\rm kum}) = \begin{cases} F \times d_{\rm kum} \times b^{\,2.\text{[illegible]}} & \text{if } d_{\rm cyc} = 1,\\ 10F \times \text{[factors in } d_{\rm cyc}, d_{\rm kum} \text{ illegible]} \times b^{2.4} & \text{otherwise.} \end{cases}$$

• Step 11 bis. Computing $x^n$ in $S$:

$$T_{\rm power}(b, d_{\rm cyc}, d_{\rm kum}) = \begin{cases} 19F \times d_{\rm kum}^{1.2} \times b^{2.4} & \text{if } d_{\rm cyc} = 1,\\ F \times (d_{\rm cyc} \times d_{\rm kum})^{1.2} \times b^{2.4} & \text{otherwise.} \end{cases}$$

For the sake of completeness, we found that the constant $F$ is equal to $30 \times 10^{-9}$ seconds on our laptop (based on an Intel Core i7 M620 2.67GHz processor). Note that the knowledge of $F$ is not necessary to perform the comparisons in Step 3, since all the estimated costs, namely $T_{\rm MR}(b, \lambda/2)$ for $\lambda/2$ Miller-Rabin tests, and

$$T_{\rm MR}(b, r) + T_F(b, d_{\rm cyc}) + T_\zeta(b, d_{\rm cyc}) + T_\sigma(b, d_{\rm cyc}, d_{\rm kum}) + T_{\rm power}(b, d_{\rm cyc}, d_{\rm kum})$$

for Galois tests, are known up to $F$. Our conclusions should thus be valid on any computer.

The set of pairs $(b, \lambda)$ for which a Galois test is more efficient than $\lambda/2$ Miller-Rabin tests is the pale domain in Figure 2. We observe that when $b$ tends to infinity, the value of $\lambda$ where the two methods cross tends to 47.

[Figure 2: plot of $\lambda$ (vertical axis, from 100 to 10000) against the number of bits $b$ (horizontal axis, from 630 to 131072); the image is not reproduced here.]

FIGURE 2. Ranges of efficiency for the Galois test

A reasonably optimized implementation in MAGMA V2.18-2 is available on the authors' web pages for independent checks. In order to see how practical this implementation is, we picked a few random integers of sizes ranging from 1024 to 8192 bits, and we measured the timings for those which turn out to be pseudo-primes. As expected, the cost ratio between $\lambda/2$ Miller-Rabin tests and one equivalent Galois test increases with $b$. Results are collected in Table 6.